Microsoft Issues Windows Security Patches For June

Microsoft Corp. today issued 10 security updates to mend flaws in its software products, including three "critical" fixes for problems found in most versions of its Windows operating systems. Microsoft rates a flaw "critical" if attackers or computer worms could exploit it to take over a vulnerable machine without any action on the part of the user.

The free patches are available from Microsoft's Windows Update Web site. Home users should install them immediately. (If you don't, you could end up with a sick computer like the one I tried to resuscitate for a friend of mine the other day.)

You can make sure your Windows PC is updated automatically with the latest fixes from Redmond by following Microsoft's instructions on how to enable automatic updates.
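The post points to Microsoft's instructions for turning on automatic updates but does not show how to confirm the setting took. The script below is an added example for this page, not code from the post or from Microsoft; it reads the two registry locations Microsoft documents for Automatic Updates (the Group Policy key under HKLM\SOFTWARE\Policies, which wins when present, and the per-machine key under HKLM\SOFTWARE\Microsoft) and reports whether updates will be downloaded and installed without user action. The AUOptions meanings are Microsoft's documented values; the function name and the "needs attention" logic are this example's own. It needs PowerShell, so it applies to XP and later rather than the Windows 98/ME systems also named in the post.

```powershell
# Added example (not from the original post): report how Automatic Updates is
# configured on this Windows host and flag anything short of fully automatic.
# Assumes Microsoft's documented registry locations for Automatic Updates.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# AUOptions values as documented by Microsoft.
$Meaning = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically on a schedule'
    5 = 'Allow the local administrator to choose'
}

function Get-AutoUpdateSetting {
    # The policy key takes precedence on managed machines; NoAutoUpdate=1 turns
    # the feature off outright regardless of AUOptions.
    if (Test-Path $PolicyKey) {
        $p = Get-ItemProperty -Path $PolicyKey
        if ($p.NoAutoUpdate -eq 1) {
            return [pscustomobject]@{ Source = 'Policy'; AUOptions = 1 }
        }
        if ($null -ne $p.AUOptions) {
            return [pscustomobject]@{ Source = 'Policy'; AUOptions = [int]$p.AUOptions }
        }
    }
    # Otherwise fall back to the per-machine (Control Panel) setting.
    if (Test-Path $LocalKey) {
        $l = Get-ItemProperty -Path $LocalKey
        if ($null -ne $l.AUOptions) {
            return [pscustomobject]@{ Source = 'Local'; AUOptions = [int]$l.AUOptions }
        }
    }
    return [pscustomobject]@{ Source = 'None'; AUOptions = $null }
}

$setting = Get-AutoUpdateSetting
if ($null -eq $setting.AUOptions) {
    Write-Output 'Automatic Updates: not configured (no AUOptions value found)'
} else {
    $label = $Meaning[$setting.AUOptions]
    if (-not $label) { $label = "unknown AUOptions value $($setting.AUOptions)" }
    Write-Output "Automatic Updates ($($setting.Source)): $label"
}

# Anything other than 4 still depends on a person acting on a prompt, which is
# exactly the step the post says home users tend to skip.
if ($setting.AUOptions -ne 4) {
    Write-Output 'Needs attention: updates will not install without user action.'
}
```

Run it from an elevated PowerShell prompt; reading the Policies hive does not require administrator rights, but changing the setting does, and on domain-joined machines a Group Policy refresh will overwrite any local change.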

Perhaps the most urgent patch for the average Windows home user is a bundle of security fixes for Microsoft's Internet Explorer Web browser. Those fixes apply to IE versions running on nearly every version of Windows, including Windows 98, Windows 98 SE and Windows ME. The update fixes at least two flaws in IE, one of them rated "critical"; it involves a persistent problem in the way IE handles digital images that could let attackers take over an unpatched Windows machine just by getting the user's browser to display a specially crafted picture.

Scam artists have used similar IE flaws to install spyware and other nasty things on Windows machines in the past, and are likely to do so with this flaw as well, said David Cole, director of product management for Symantec Security Response. Microsoft notes that instructions on how to exploit one of the IE flaws are already publicly available.

"This one's particularly nasty because images are automatically downloaded by the browser, so it's not like the user has to click on an attachment to get infected, they could just have stumbled on a malicious Web page" or visited a site hosting a tainted advertisement, Cole said. Last November, I wrote about hackers installing spyware on Windows machines by breaking into a company that serves banner ads for thousands of Web sites.

Another "critical" patch fixes a problem that has dogged the "HTML Help" feature in Windows, a function that uses Microsoft's Internet Explorer Web browser to display instructions for using a variety of computer programs. This flaw also is present in nearly all of the above-mentioned versions of Windows. Last month, I wrote about hackers using an earlier flaw in HTML Help to aid in a cyber-extortion scam targeting Windows users.

The final "critical" flaw patched today involves a problem in Server Message Block (SMB), the protocol Windows uses to share files and printers across a network. This vulnerability could be used to power a network worm that spreads on its own over the Internet to unpatched systems; however, many Internet service providers routinely filter this type of traffic across their networks, so any worm leveraging this flaw would probably not spread as fast as it would have just a few years ago, Symantec's Cole said.

Another flaw, fixed in a patch rated "important", deserves attention from companies that use Microsoft's Exchange e-mail server. According to Microsoft, there's a flaw in the way the Webmail portion of Exchange works that could let attackers seize control over a vulnerable machine. However, the attackers would need a valid username and password for the target's Webmail system in order to take advantage of the flaw, Microsoft said.

It's not unusual for software patches to interfere with or break third-party software. One of the fixes released today -- a re-release of an April Microsoft patch -- may be incompatible with BlackICE on some Windows systems, according to information the company apparently passed on to the SANS Internet Storm Center. BlackICE is a software firewall product produced by Internet Security Systems. ISS says some Windows 2000 users running certain versions of BlackICE could find their firewall protection shut off if they install today's updates before upgrading to the latest edition of BlackICE. ISS urges potentially affected customers to update their version of BlackICE to the newest release, which it said does not have any conflicts with the patch.

Anyone who makes a regular habit of visiting Microsoft's security site will no doubt notice Microsoft has redecorated a bit. I can't decide if I like what they've done, but at first glance it appears to be an improvement. Stephen Toulouse, Microsoft's Security Program Manager, said the company made the changes in response to customer feedback. If you've got some thoughts on how Microsoft could make its site easier to navigate, they want to hear from you.

For the record, this month's batch of patches brings to 20 the total number of critical vulnerabilities Microsoft has identified in 2005. Last year, Microsoft released a total of 25 "critical" security fixes.

If you're interested, read my blog entries on Windows patches from last month and the ones released in April.

By Brian Krebs  |  June 14, 2005; 3:17 PM ET
Categories:  New Patches  


Brian, I just have to ask. Spending as much time fixing an infected computer as your friend's would have normally cost as much as a decent laptop had you charged, say, $70/hr. This individual case aside, what would a shop normally do in a situation like this with a lost CD? I suppose it would depend on the value of the data stored, but surely it would be a fresh install with a new copy of XP plus at least a minimum of all the security programs we need to keep a computer clean. I guess what bothers me the most is a computer owner not finding out what is needed for security in the first place. The news is everywhere. There is good advice and free firewalls, antivirus, and spyware programs to keep the bad stuff off. Didn't do the updates? For shame! The data on a machine can't be worth any more than the effort the owner puts into keeping it safe. Apparently computers are not sold in a safe condition and the computer manufacturers don't seem to be too concerned about their customers' safety. Too bad. I am sure they could work out some way to bundle the software package with a non-expiring free version of ZoneAlarm, AVG or Avast! antivirus and SpywareBlaster. And of course the beta anti-spyware is free from Microsoft. And links to all the good spyware removers. Gotta keep it off in the first place. Ken in Puyallup, WA

Posted by: Ken in Puyallup, WA | June 15, 2005 5:59 PM


© 2010 The Washington Post Company